
Generic Dropper.p

Type: Trojan
SubType: Dropper
Discovery Date: 10/11/2005
Length: varies
Minimum DAT: 4602 (10/11/2005)
Updated DAT: 6587 (01/12/2012)
Minimum Engine: 5.4.00
Description Added: 10/11/2005
Description Modified: 12/10/2011 8:42 AM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled


Characteristics

--- Updated on 10-Dec-2011 ---

Aliases –

    • BitDefender - Gen:Trojan.Heur.GC.cq0@ubbHiUeb1
    • F-secure - Gen:Trojan.Heur.GC.cq0@ubbHiUeb1
    • Norman - W32/Banker.R!genr
    • Symantec - Trojan.Dropper

Upon execution, the Trojan drops a malicious file into the following location:

    • %WinDir%\system32\com32.dll [Detected as BackDoor-FDG]

The following registry values have been added to the system:

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\
      ServiceDll = %WinDir%\system32\com32.dll
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\netsvcs\
      ImagePath = "%SystemRoot%\system32\svchost.exe -k netsvcs"

The above registry entries confirm that the Trojan registers itself as a service with the system and executes every time the service starts.

Note – [%WinDir% - C:\WINDOWS]

-----

--- Updated on 9-Aug-2011 ---

File Information:

MD5: E022FCC62398F942F471676BB4B09C86
SHA1: 2938e3113e3c3544d5924eff761f1c8727515136

Once executed, this variant drops a copy of itself in the following path:

  • C:\MSCache.Bin\961328C16BB.exe

It will then execute this file, which will perform the other actions.

After that, it will inject malicious code into several running processes. Some processes that have been observed to be injected include:

  • svchost.exe
  • explorer.exe
  • services.exe
  • ctfmon.exe

The malware also changes the following registry values to lower the system security settings:

  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8: 0x00000000
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Internet Explorer\PhishingFilter\ShownServiceDownBalloon: 0x00000000
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Internet Explorer\Recovery\ClearBrowsingHistoryOnExit: 0x00000000
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline: 0x00000000
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1: 0x00000001
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect: 0x00000000
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnIntranet: 0x00000000
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPost: 00 00 00 00
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1409: 0x00000003
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1409: 0x00000003
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1409: 0x00000003
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1409: 0x00000003
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1409: 0x00000003
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1406: 0x00000000
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1406: 0x00000000
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1406: 0x00000000
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1406: 0x00000000
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1609: 0x00000000
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1406: 0x00000000
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1609: 0x00000000
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1406: 0x00000000
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1609: 0x00000000
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1406: 0x00000000
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1609: 0x00000000
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1406: 0x00000000
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1609: 0x00000000

These changes will disable any warning to the user that the connection has been redirected to a proxy, or that data is being sent without user interaction.
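The following Python sketch is an added example, not part of the original advisory: it scans the text of a registry export (.reg format) for the values listed above and returns those whose data equals what this variant writes. The function names and the sample export are constructed for illustration, and because several of these settings can also be set legitimately, the number of hits per user hive is a triage signal rather than a verdict.

```python
import re

IE = r"software\microsoft\internet explorer"
INET = r"software\microsoft\windows\currentversion\internet settings"
# (key path from "Software\" onward, value name) -> data reported in the advisory
INDICATORS = {
    (IE + r"\phishingfilter", "enabledv8"): 0,
    (IE + r"\phishingfilter", "shownservicedownballoon"): 0,
    (IE + r"\recovery", "clearbrowsinghistoryonexit"): 0,
    (INET, "globaluseroffline"): 0,
    (INET, "proxyhttp1.1"): 1,
    (INET, "warnonpostredirect"): 0,
    (INET, "warnonintranet"): 0,
    (INET, "warnonpost"): 0,  # listed as binary 00 00 00 00
}
for z in range(5):
    INDICATORS[(INET + rf"\zones\{z}", "1409")] = 3
    INDICATORS[(INET + rf"\zones\{z}", "1609")] = 0
for z in range(1, 5):
    INDICATORS[(INET + rf"\zones\{z}", "1406")] = 0
    INDICATORS[(INET + rf"\lockdown_zones\{z}", "1406")] = 0

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(dword|hex):([0-9a-fA-F,]+)$')

def parse_reg(text):
    """Yield (key, value name, integer data) for REG_DWORD/REG_BINARY values."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif key and (m := VAL_RE.match(line)):
            name, kind, raw = m.groups()
            if kind == "dword":
                data = int(raw, 16)
            else:  # hex: comma-separated bytes, read as little-endian
                data = int.from_bytes(bytes.fromhex(raw.replace(",", "")), "little")
            yield key, name, data

def find_matches(text):
    """Return the exported values whose data equals an advisory indicator."""
    hits = []
    for key, name, data in parse_reg(text):
        low = key.lower()
        start = low.find("software\\")
        if start >= 0 and INDICATORS.get((low[start:], name.lower())) == data:
            hits.append((key, name, data))
    return hits

# Constructed sample export (placeholder SID), not captured from a real host.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-0-0-0-1001\Software\Microsoft\Internet Explorer\PhishingFilter]
"EnabledV8"=dword:00000000

[HKEY_USERS\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnOnPost"=hex:00,00,00,00
"WarnOnIntranet"=dword:00000001
"ProxyHttp1.1"=dword:00000001

[HKEY_USERS\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1409"=dword:00000003
"1406"=dword:00000003
"""
```

Calling find_matches(SAMPLE) returns four hits; WarnOnIntranet and Zones\3\1406 are skipped because their data differs from the values in the advisory.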

The malware then proceeds to connect to the following URLs:

  • POST hxxp:// uhfqds. com/dns/ home.php
  • GET hxxps:// 91. 223. 82. 133/

The data in the POST request includes information about the current user and the user's machine.

--- Updated on 13-Nov-2010 ---

File Information –

    • MD5 - 37F7D9B656B60E9960F40C8F8E7C88ED
    • SHA1 - B6CCD46C49A1A618FDE16825BAD1456FF32C9EB3

When executed, spyware trojans run silently in the background, monitoring the victim's activity on the infected computer and recording all or specific pre-defined data.

The Trojan gathers the following system information:

    • Computername
    • HomeDrive
    • Homepath
    • Logonserver
    • Processor_identifier
    • Processor_level
    • SystemDrive
    • Username
    • OS
    • Processor Architecture
    • User Domain

-------

-- Update July 12, 2010 --

Some variants received from the field drop and execute the following files:

  • %TEMP%\Jmj.exe
  • %TEMP%\Jmk.exe
  • %TEMP%\Jml.exe

Jmj.exe drops a DLL file (sshnas21.dll) in the %SYSTEMROOT%\SYSTEM32 folder and registers it as a service with the display name SSHNAS.

Jml.exe creates the following two job files to launch Jgesoa.exe and Jml.exe:

  • {8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job
  • {35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

To start itself on reboot, it creates the following registry entry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    JDK5SWFMZY = %TEMP%\Jml.exe

Jmk.exe drops a file Jgesoa.exe in the %SYSTEMROOT% folder.

Finally, a batch file is created which deletes the original malware file.

Infected systems have also been observed connecting to the following domains on TCP port 80:

  • best-arts-[removed].com
  • edrichfine[removed].com

-- Update March 4, 2009 --

Some variants have displayed the following characteristics.

The following data/value pairs have been added (class ID and value names may be random):

  • HKEY_CLASSES_ROOT\CLSID\{CC22E8D6-3B73-077E-DD49-EA81789AB64A} "(Default)" "kbdsgi"
  • HKEY_CLASSES_ROOT\CLSID\{CC22E8D6-3B73-077E-DD49-EA81789AB64A}\InprocServer32 "(Default)" "C:\WINDOWS\system32\kbdsgi.dIl"
  • HKEY_CLASSES_ROOT\CLSID\{CC22E8D6-3B73-077E-DD49-EA81789AB64A}\InprocServer32 "ThreadingModel" "Apartment"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\kbdsgi "(Default)" "{CC22E8D6-3B73-077E-DD49-EA81789AB64A}"

The following files are added:

  • %WinDir%\system32\dsuiqxt.dat (filename may be random)
  • %WinDir%\system32\fldrcxnr.dat (filename may be random)
  • %WinDir%\system32\iologmrg.dat (filename may be random)
  • %WinDir%\system32\kbdsgi.dat (filename may be random)
  • %WinDir%\system32\kbdsgi.dIl (filename may be random)

(Where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS, etc.)

-- Update May 13, 2008 --

Upon execution, a new variant of the Generic Dropper.p trojan drops the following files:

  • %WinDir%\system32\deskaspi.dat (filename may be random)
  • %WinDir%\system32\rtmra.dat (filename may be random)
  • %WinDir%\system32\rtmra.dIl (filename may be random, identified as Generic Spy.e trojan)
  • %WinDir%\system32\winstf.dat (filename may be random)
  • %WinDir%\system32\wlnotiey.dat (filename may be random)

(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS, etc.)

-- Update November 7, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://blog.washingtonpost.com/securityfix/2007/11/deconstructing_the_fake_ftc_em.html?nav=rss_blog
--

The most recent variant of this threat arrived as spam email messages.

Upon clicking the link, the following file is downloaded.

Upon running the executable files, the following files are dropped:

  • %SystemDir%\GenuineLicence.exe 65,024 bytes (Generic Dropper.p trojan)
  • %SystemDir%\kbd.dll 5,632 bytes (Generic Keylogger trojan)
  • %SystemDir%\test.dll 31,744 bytes (Generic BackDoor.u trojan)

The trojan modifies the following registry key.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "service" =  %SystemDir%\GenuineLicence.exe

Symptoms

The symptoms of this detection are the files, registry entries, and network communication referenced in the Characteristics section.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password
Issue 'fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.


On Windows Vista and 7:

Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer"
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue 'bootrec /fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.

Variants


    N/A

All Information

Overview -

Droppers are files which contain other binaries within their body. They act like a self-extracting ZIP file - taking the files stored inside and then installing them on the affected machine.

The types of files which are dropped by many droppers include other Trojans (such as Downloaders to download yet more files from the remote machine, BackDoors to allow the hacker remote access to the client machine, and Dialers to change the dial-up settings of the client's Internet connection, normally to a premium rate number).
